
safe_mode off by default?

ad7742 (Guest)
Hi

Can anyone let me know if their server has safe_mode off by default? My last few installs have, and it's really insecure...

I'm using RedHat Enterprise Linux 3 (fully patched) and Plesk 7.5 Reloaded (fully patched).

My php.ini file is set to have safe_mode off, and it's also set to off in the main Plesk httpd.include file (i.e. the one in /etc/httpd/conf/). I just wanted to see if it's something I'm doing wrong during the install (which I'm pretty certain isn't the case...) or if it's the default - i.e. does everyone else have this?

For your info, having safe_mode off essentially gives any client SSH access to the web server, logged in as Apache. I was recently introduced to a php script that does this.

For security reasons, I'm not going to post any more info on the php script here.

I was shown the script by a client (of all people...) who thankfully didn't realise how powerful the login was - he was just showing me that it let him browse any folder on the server. However, I did a test and successfully compiled a "helloWorld.c" C program using gcc. It ran as the user "apache"; therefore any files (including the httpd config files) could be edited by this login. Basically, any client could really break the server.

Any feedback would be appreciated.

Regards

Andy
 
The status of PHP Safe Mode is really determined by the OS and what version you have and what you may do during / after the installation. Historically, PHP would install with safe_mode Off and register_globals On but neither is a safe setting.

On all new servers, the first thing I do is turn safe_mode On, register_globals Off and allow_url_fopen Off. Then the site code has to be written to run under those settings. If by some chance I have to support a PHP application that requires register_globals On or safe_mode Off, I do this in the context of that domain in a vhost.conf file.
 
This is exactly what I am trying to do right now.

Only problem is that I don't know what the vhost.conf should look like for this.

Could someone please post a vhost.conf for just changing PHP safe_mode to off and register_globals to on? This would be great.

tia
herby
 
I would be happy too if someone could explain how to do this with Plesk on the server. Will the vhost settings be overwritten / what is the best thing to do?
 
Change your /etc/php.ini file to globally set safe_mode, then for domain-by-domain settings, use:

Sample vhost.conf (non-SSL)

<Directory /home/httpd/vhosts/domain.com/httpdocs>
php_admin_value safe_mode 0
php_admin_value register_globals on
</Directory>

The safe_mode value can be either 0 or 1.

If you need open_basedir, then add:
php_admin_value open_basedir /home/httpd/vhosts/domain.com/httpdocs:/tmp:/usr/share/pear

And on every RH9/Plesk install I have ever done, the default PHP setting is safe_mode off.
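As an added example that is not part of the thread and not Plesk's own tooling: the script below audits the three directives discussed above (safe_mode, register_globals, allow_url_fopen) in a global php.ini and then walks per-domain vhost.conf files looking for overrides that weaken the global policy, flagging any weakened domain that has no open_basedir fence. The php.ini, the two vhost.conf files and the vhosts layout (assumed to be <root>/<domain>/conf/vhost.conf, matching the sample above) are constructed inside a temporary directory so it runs offline. Two caveats a practitioner should keep in mind: safe_mode was never a real security boundary (PHP's own documentation said so) and both safe_mode and register_globals were removed in PHP 5.4, so on any modern server the real controls are open_basedir, disable_functions and per-site process separation.

```shell
#!/bin/sh
# Added example (not from the thread or from Plesk): audit PHP hardening
# directives in a global php.ini and in per-domain vhost.conf overrides.
# All inputs are constructed below; the vhosts layout is an assumption.

WORK=$(mktemp -d)

# Constructed php.ini with the historical insecure defaults the thread describes.
cat > "$WORK/php.ini" <<'EOF'
[PHP]
safe_mode = Off
register_globals = On
allow_url_fopen = On
; open_basedir is unset
EOF

# Constructed per-domain overrides: domain.com weakens safe_mode and
# register_globals but keeps an open_basedir fence; other.com weakens
# register_globals with no fence at all.
mkdir -p "$WORK/vhosts/domain.com/conf" "$WORK/vhosts/other.com/conf"
cat > "$WORK/vhosts/domain.com/conf/vhost.conf" <<'EOF'
<Directory /home/httpd/vhosts/domain.com/httpdocs>
php_admin_flag safe_mode off
php_admin_flag register_globals on
php_admin_value open_basedir /home/httpd/vhosts/domain.com/httpdocs:/tmp:/usr/share/pear
</Directory>
EOF
cat > "$WORK/vhosts/other.com/conf/vhost.conf" <<'EOF'
<Directory /home/httpd/vhosts/other.com/httpdocs>
php_admin_flag register_globals on
</Directory>
EOF

# ini_value FILE DIRECTIVE: value of the last "directive = value" line, lower-cased.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# vhost_value FILE DIRECTIVE: value of the last php_admin_flag/php_admin_value
# line for DIRECTIVE in an Apache vhost.conf, lower-cased (empty if absent).
vhost_value() {
    sed -n "s/^[[:space:]]*php_admin_[a-z]*[[:space:]][[:space:]]*$2[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# is_on VALUE: true for the spellings PHP treats as enabled.
is_on() {
    case "$1" in
        1|on|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_php_ini FILE: one line per weak global setting.
audit_php_ini() {
    if ! is_on "$(ini_value "$1" safe_mode)"; then echo "php.ini: safe_mode is off"; fi
    if is_on "$(ini_value "$1" register_globals)"; then echo "php.ini: register_globals is on"; fi
    if is_on "$(ini_value "$1" allow_url_fopen)"; then echo "php.ini: allow_url_fopen is on"; fi
    return 0
}

# audit_vhosts ROOT: one line per domain override that weakens the global
# policy, plus a line when such a domain has no open_basedir fence.
audit_vhosts() {
    for conf in "$1"/*/conf/vhost.conf; do
        [ -f "$conf" ] || continue
        domain=$(basename "$(dirname "$(dirname "$conf")")")
        weak=0
        v=$(vhost_value "$conf" safe_mode)
        if [ -n "$v" ] && ! is_on "$v"; then
            echo "$domain: safe_mode overridden to off"; weak=1
        fi
        if is_on "$(vhost_value "$conf" register_globals)"; then
            echo "$domain: register_globals overridden to on"; weak=1
        fi
        if [ "$weak" -eq 1 ] && [ -z "$(vhost_value "$conf" open_basedir)" ]; then
            echo "$domain: weakened without open_basedir"
        fi
    done
    return 0
}

audit_php_ini "$WORK/php.ini"
audit_vhosts "$WORK/vhosts"
```

On a real Plesk 7.x box the per-domain file lives at /home/httpd/vhosts/<domain>/conf/vhost.conf, and Apache has to be told about a new or changed file with /usr/local/psa/admin/bin/websrvmng --reconfigure-vhost --vhost-name=<domain>; the audit above only reads files, so it can be run as a non-root user with read access to the vhosts tree.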
 